Received renewal email, certbot renew says none to renew, actual cert says not due to renewal until two months from now

Hi everyone!

I been reading the community topics similar to this, but none of the solutions I’ve seen seem to apply to my case.

So I have a dummy server (Captive portal) that needs a valid certificate in order to work.

I used the manual method, since the Captive portal does not allow to install certbot: “sudo certbot certonly --manual -d

When configuring it the first time around I created a CSR for a domain and a SAN, and validated the requests using CNAME entries on the public DNS domain.
The Server constantly complained that SANs where not supported, so when renovation time came, I split certificates for the root domain and for a subdomain instead of a SAN. Installed it and all is working fine ever since

But today I got an email warning me that I had 0 days left for the renewal of the certificate:


Your certificate (or certificates) for the names listed below will expire in
0 days (on 29 Aug 17 09:34 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.

I went ahead and did a certbot renew yet got:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/ (skipped)
/etc/letsencrypt/live/ (skipped)
No renewals were attempted.

After this I opened the certificates that are installed on the captive portal and got to see that, yes they are not due to renewal at all:

Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Not Before: Aug  4 15:00:00 2017 GMT
        Not After : Nov  2 15:00:00 2017 GMT

So are the email warnings wrong? Did I screw up somewhere?

Or maybe I’m getting warnings from the first certificate (the one with SANs) since it uses the same root domain? If so how do I stop the warnings being sent to the email when it’s not yet time?

Thanks in advance.

Hello @broadscha ,

You have issued 4 certificates for your domain, if you are already using the last certificates you should not worry about the e-mails:

2017/August/28 12:50:33 - Checking certs for

I have found 4 non expired certificates for domain and its subdomains *

CRT ID     DOMAIN (CN)                VALID FROM              VALID TO                EXPIRES IN  SANs
183946532         2017-Aug-04 16:02 CEST  2017-Nov-02 15:02 CET   66 days

183943292  2017-Aug-04 17:00 CEST  2017-Nov-02 16:00 CET   66 days

146533711  2017-May-31 11:42 CEST  2017-Aug-29 11:42 CEST  0 days

146531562         2017-May-31 11:34 CEST  2017-Aug-29 11:34 CEST  0 days


1 Like

Hi again,

So apparently the certificate loaded on the server is still valid, yet clients get a warning when loading the page of the captive portal saying that the connection is not secure and/or trust worthy.

Hi @broadscha,

Well you have valid certificates but that doesn't mean they are being used by your captive portal.

A screenshot of the error/warning could help. Also, what are the domains covered by that certificate?. You need to check them with your own browser.

Edit: If you are using the command line you could use below command to get the dates of the certificate served by your captive portal and the domains covered.

echo | openssl s_client -connect -servername 2>/dev/null | openssl x509 -noout -text | grep -E '(DNS|Not )' | sed -e 's/^ *//g'


No, the certificate given is the valid one. See the following screenshot:

The text in red complains that the host name is not valid, since is different than the one contained on the certificate but that is not true since the machine that has te certificate installed has the proper hostname:

$ ssh’s password:
root@portal ~> hostname
root@portal ~>

As of the open ssl command:

echo | openssl s_client -connect -servername 2>/dev/null | openssl x509 -noout -text | grep -E '(DNS|Not )' | sed -e 's/^ *//g' Not Before: Aug 4 15:00:00 2017 GMT Not After : Nov 2 15:00:00 2017 GMT

EDIT: I forgot to put the result from the openssl command.

Hi @broadscha,

The first error means that the web server is serving a certificate valid only for but the site you are connecting is another domain. What is the url you see in your browser when connecting to, maybe it is being redirected to another domain.

As it is inside your network I can’t test the connection to your portal.

Do you have the same error using other browsers?.


That is the weird thing.

Depending on the browser I get different errors. Chrome on Samsung devices:

I can venture that is because Letsencrypt is not on the trust store of the device.

IOs Devices:

They load the Web form alright with is weird on itself.

@broadscha, seems you are not serving the intermediate certificate we need to know how do you configured your captive portal to specify the path to the certs.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.